The attacks could drop as soon as this week, ahead of the Champions League soccer final set to take place in Kiev, Ukraine. Another possible window is late June, when the country celebrates Constitution Day. In the past, and as recently as June 2017, when the NotPetya virus disabled computers in the country and spread around the world, the attacks were launched on Ukrainian holidays or in the days leading up to them.

Cisco’s Talos intelligence unit has “high confidence” that the Russian government is behind the campaign, Reuters reports.

That’s because the software shares code with malware used in previous attacks.

Ukraine’s state security service shares the concern, estimating that the large-scale attack could drop before Saturday’s soccer game:

Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilizing the situation during the Champions League final.

What’s interesting is that the infections were discovered in 54 countries, which would make it seem like Ukraine isn’t the real target. But a surge of infections in Ukraine on May 8th convinced Cisco that Russia is going after Ukraine again.

Called VPNFilter, the malware lets hackers access infected computers remotely, and then use them to spy on networks, steal login credentials, launch attacks on other computers and load more malware.

The malware also includes an auto-destruct feature that renders the malware and software on infected devices inoperable.

If you think Russia doesn’t use the cyber tools at its disposal to interfere with a country like Ukraine, this light Wired reading from last June should come in handy.

Russia has vigorously denied accusations that it’s conducting large hacking operations around the world, or that it’s trying to interfere with elections. If the VPNFilter attack is indeed triggered, we can probably expect more denials.